Automated Security Scanning of 5G CNFs within 5GASP

The 5GASP certification program has recently enabled an automated security validation process for containerised network applications. Powered by a software security vulnerability scanning tool, designed by 5GASP and specifically for 5G CNFs, it has been seamlessly integrated with the 5GASP CI/CD pipeline, ensuring robust security checks for container images, Kubernetes configurations, and Helm chart installations.

Key Features of 5GASP Security

Some of the key features of the 5GASP security scanning tool is its ability to identify security issues in network application software components, with a proficiency in detecting operating system package and software dependencies, sourcing known vulnerabilities from common vulnerability and exposure (CVE) databases, and scanning applications in multiple languages (e.g., Java, Python, C++, RUST). The tool can scan related open source libraries used within the network application CNF code base, can scan for Infrastructure as Code issues and misconfigurations, and scan for the exposure of sensitive information and secrets within the CNF.

Critical CVE Security Vulnerability Scanning

Common Vulnerability and Exposure (CVE) databases play a crucial role in today’s cybersecurity landscape. The CVE database concept has emerged as a response to the increasing complexity of software and the growing number of security vulnerabilities. The need for a standardized method to identify and share information about vulnerabilities across diverse systems led to the creation of the CVE system.

Several CVE databases have become prominent for example the National Vulnerability Database (NVD), maintained by the US National Institute of Standards and Technology (NIST), is a comprehensive resource providing vulnerability data and severity scores.

In 5GASP the security vulnerability scanning tool hosts a set of tests that leverage a CVE database to specifically identify “Critical CVE” security vulnerabilities within network application CNF images.

The 5GASP security scanner uses different approaches to carry out the vulnerability scan, it will either retrieve a vulnerability report from a Harbor or Docker container repository via API calls, run a local version of the security scanning tool against the CNF image and produce a local vulnerability report, or conduct a vulnerability scan against a SPDX-formatted software bill of materials (SBOM) file of the CNF image.

A SBOM file is like a table of contents representation of the CNF and this type of vulnerability scan is an interesting one for network application developers who do not wish to expose the full code base of their CNF, but still require a security vulnerability report.

Vulnerability Results and Severity Levels

The 5GASP security scanner is integrated within the CI/CD pipeline of the 5GASP certification process and runs automatically across the network application CNF. The scanner is designed to fail a test if any “critical” security vulnerabilities are found. Critical here means as defined by the CVE standards program. A detailed report identifying the root cause of the critical vulnerability and a possible solution is provided back to the network application developer.

Once a new version of the network application CNF image is pushed to the container repository by the developer, the 5GASP security scanner automatically scans it for vulnerabilities ensuring the most up-to-date CVE database is utilised.

The 5GASP security scanner is set to pass even if high security vulnerabilities are detected, detailed mitigation notes are provided in the report to the developer. In all other cases the scan will pass, including scenarios with medium or low vulnerabilities detected which are reported but not considered fail criteria.


As the world embraces the transformative power of 5G technology, the security of CNFs within 5G networks becomes paramount. The foundation of this technological leap lies in ensuring the security of CNFs is not just a defensive strategy but a prerequisite for unleashing the full potential of 5G.

Trust is at the core of any successful network deployment. Ensuring the security of 5G CNFs instils confidence in users, service providers, and enterprises that rely on the capabilities of 5G. 5GASP is addressing security concerns head-on, ensuring consistent identification and categorization of vulnerabilities in network applications which enables stakeholders to build and maintain trust in the reliability, privacy, and overall integrity of 5G networks, fostering a conducive environment for widespread adoption.